
Has the FCA CEO Gone Bonkers?

  • Bill Trueman
  • 2 minutes ago

Nikhil Rathi was recently re-appointed as the FCA boss for a further term. He warned in his speech to the Mansion House 'city dinner' in late October 2025 that the UK is poorly protected from cyber attacks upon its foreign-controlled critical infrastructure, which includes data centres and payment networks.

 

In earlier Dear CEO letters and more recent FCA communications, he warns that companies are not looking after customer funds, that they should have wind-down plans to prepare for when things go wrong, and that the FCA should be able to 'name and shame', in special circumstances, those regulated entities that do not follow regulations. FCA audits of firms continue to show that many are not following FCA regulations, including piecemeal support for AML, Consumer Duty and Business Wide Risk Assessments, amongst many other areas of concern.

 

Earlier this year Rachel Reeves wrote to regulators to 'explain to them' how the UK needed to become more 'open to business' and, where necessary, to remove unnecessary regulatory burden from them.

 

Has Nikhil really gone bonkers with a political ‘death-wish’?  ABSOLUTELY NOT! 

 

Last week the Cyber Security and Resilience (Network and Information Systems) Bill was published and the UK certainly needs to deal with the millions of system attacks that take place each and every day upon vital infrastructures. So he might not be so mad about that one.

 

The lack of consistent enforcement and application of regulations, good governance, risk management controls, compliance and regulatory observance is staggering in companies that we visit and view. We see an almost laissez-faire attitude in many regulated entities towards understanding what they should be doing, or even towards knowing the requirements. So again, Nikhil Rathi may not be so bonkers after all. But what can he do to protect everyone?

 

Maybe it is time for the FCA to focus on being a conduct regulator and to head down the path of really enforcing regulations and sponsoring a mind-set shift in regulated firms to upgrade knowledge, compliance and governance.

 

The FCA announced in March 2025 that it would abolish the PSR (the economic regulator) and absorb its functions into the FCA. Will this help? Will it ever happen? We seem to have a regulator 'without enough teeth', and the answer should never be to remove the regulator, but to deliver efficient governance and regulatory frameworks.

 

Arguments and challenges within the financial services community reflect a 'them and us' attitude towards compliance, especially if we compare 'older and larger' regulated entities with the new fintech firms. This is not healthy, as risk-based challenges exist everywhere and no-one should get ‘an easy ride’.

 

Perhaps Nikhil Rathi can consider a 'fast-track' route to remove regulated status or correct non-compliance for firms that do not quickly and consistently 'do what is right'.

 

Nikhil Rathi's recent actions and challenge to the financial services sector are appropriate, timely and a call to action for all participants. As a consumer, I WANT protection, so if anything, I want the FCA CEO to be 'more bonkers'!


Kevin Smith and Bill Trueman are directors at Riskskill, and are payments and risk specialists with over 30 years of experience. For more information about Riskskill, visit the website at www.riskskill.com

 
 
 